I am using Yii2 RBAC DbManager and it works quite well. Though it works for simple cases, I have complex requirements that require customizing the default RBAC setup, and I would love to hear your opinions.
I am building a school management system. The requirement is that each school would need its own RBAC:
- same permission names (such as "manage course", "manage student")
- roles are tied to each school specifically
  - a school cannot see other schools' roles (e.g. when school A goes to the Role Management page, only roles belonging to school A show)
  - schools can use the same role name (e.g. school A has "Administrator" as a role, and school B also has "Administrator")
Obviously, the requirements ask for new columns in the default RBAC tables. I don't know what to do.
Should I extend the DbManager? Is it too difficult to do?
Should I use ActiveRecord (ignoring the AuthManager methods) to handle roles/permissions?
You obviously need a rule called "can administrate own school".
There are a lot of RBAC extensions that can help make the process of creating an RBAC easier, but I don't think you need to extend the RBAC DbManager at all.
Try to reconsider your RBAC hierarchy, especially the role that you have named "Administrator". Is it really the administrator of your whole app? Or, in other words, does a school really need an "Administrator"? No, I don't think so. A school only needs "SchoolAdmin"s who have the right to administrate their own school.
What I understood from the post is that he is asking for different roles for each school, possibly with the same name. But if you can do the reverse, where an administrator can have access to multiple schools, then you don't need to extend the DbManager.
Thank you for all the feedback. I would like to give more details so we all have the same understanding.
I have a set of permission names: "manage course", "manage employee", "manage student". These permissions are fixed and cannot be changed.
1 school can have many users. 1 user can be assigned to 1 role. 1 role can have 1 or more permissions.
For example:
Role = "School Administrator" has "manage course", "manage employee", "manage student" permissions
Role = "Teacher" has "manage course" and "manage student" permissions
When a school is created, an "admin" type role is created and assigned to a user so he/she can start managing the school. The user can add new roles (e.g. Teacher) and assign the "Teacher" role to other users. The school is free to create as many roles as they like.
The issues with the current RBAC, to the best of my knowledge, are:
- school A users can view/update/delete school B roles and vice versa
- RBAC/DbManager cannot distinguish roles with the same name (e.g. school A creates a "Teacher" role and school B also has a "Teacher" role; when I try to update the "Teacher" role, which "Teacher" role is it? School A's or school B's?)
As a starting point, you can add the permission "manageOwnSchool" to the Administrator and the permission "useOwnSchool" to the Teacher - call them whatever you want - and attach a Rule to each of them.
Then add the rest of the permissions as children to each of them.
It would probably be a good idea to add a SuperAdministrator that is able to administrate everything.
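One way to implement the rule-guarded permission described in the reply above, as an added example that is not code from the thread or from Yii itself. It assumes a `User` ActiveRecord with a `school_id` column and that callers pass `['school_id' => ...]` to `can()`; it shows only the SchoolAdmin half of the hierarchy.

```php
<?php
// Rule that scopes a permission to the current user's own school.
// Assumptions (not from the thread): app\models\User has a school_id
// column, and access checks pass ['school_id' => ...] as $params.
namespace app\rbac;

use app\models\User;
use yii\rbac\Rule;

class OwnSchoolRule extends Rule
{
    public $name = 'ownSchool';

    public function execute($user, $item, $params)
    {
        // Fail closed: a check without a school context grants nothing.
        if (!isset($params['school_id'])) {
            return false;
        }
        $identity = User::findOne($user);
        return $identity !== null
            && (int) $identity->school_id === (int) $params['school_id'];
    }
}

// One-time setup (e.g. in a console command). The rule-guarded permission
// is the parent; the fixed permissions are its children and are reachable
// only through it, so the rule is evaluated on every check of a child.
$auth = \Yii::$app->authManager;

$rule = new OwnSchoolRule();
$auth->add($rule);

$manageOwnSchool = $auth->createPermission('manageOwnSchool');
$manageOwnSchool->ruleName = $rule->name;
$auth->add($manageOwnSchool);

foreach (['manage course', 'manage employee', 'manage student'] as $name) {
    $perm = $auth->createPermission($name);
    $auth->add($perm);
    $auth->addChild($manageOwnSchool, $perm);
}

$schoolAdmin = $auth->createRole('SchoolAdmin');
$auth->add($schoolAdmin);
$auth->addChild($schoolAdmin, $manageOwnSchool);

// In a controller, supply the school of the record being edited, so a
// SchoolAdmin of school A checking a school B course gets false:
// if (!\Yii::$app->user->can('manage course', ['school_id' => $course->school_id])) {
//     throw new \yii\web\ForbiddenHttpException();
// }
```

The "Teacher" side follows the same pattern with a second guarded permission whose children are only "manage course" and "manage student"; roles stay global in auth_item, and the rule, not the role name, does the per-school scoping.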
I see @jacmoe wasn’t able to answer your question. I think the issue is that the role name is the primary key on the auth_item table. Did you ever come up with a solution for this? If so, would you mind sharing it with me please? I am in the same situation with my current project.
No, it was @nguyendh that failed to understand what @jacmoe had said.
In an RBAC system, it is not common practice to permit the end users ("jacmoe" and "nguyendh") the right to "create" RBAC items like roles and permissions. It is, IMO, a bad idea. The end users should only be allowed to assign or revoke pre-defined roles, even if they have administrative roles.